On Fri, 8 Dec 2023 at 07:39, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
[...]
> Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break.
> Is there a workaround to allow scp/sftp to continue to work even for non-shell accounts?

sftp should work regardless of the user's shell since it is invoked as
a ssh subsystem which is independent of the shell channel.

scp is built around the assumption that the shell is involved. It is
possible for a restricted shell to allow scp and the arguments that it
needs (there have been tools such as scponly and rssh) although it is
very difficult to do this securely (rssh at least gave up trying
entirely). I'd suggest not trying to support scp at all and
concentrating on sftp.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

Darren Tucker:

> sftp should work regardless of the user's shell since it is invoked as
> a ssh subsystem which is independent of the shell channel.
>
> scp is built around the assumption that the shell is involved.

Wait, that is only true for the legacy protocol, right? Now that
scp defaults to the SFTP protocol, its limitations in this regard
should match those of sftp.

--
Christian "naddy" Weisgerber naddy at mips.inka.de

On Fri, 8 Dec 2023, Darren Tucker wrote:

> On Fri, 8 Dec 2023 at 07:39, Philip Prindeville
> <philipp_subx at redfish-solutions.com> wrote:
> [...]
> > Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break.
> > Is there a workaround to allow scp/sftp to continue to work even for non-shell accounts?
>
> sftp should work regardless of the user's shell since it is invoked as
> a ssh subsystem which is independent of the shell channel.

I'm pretty sure sshd executes subsystems using the user's configured
shell. You should be able to use "Subsystem sftp internal-sftp" to skip
the shell though.

-d
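
The "Subsystem sftp internal-sftp" setting from the last reply, written out as an sshd_config fragment. This is an added example, not part of the original thread; the group name "sftponly" and the sftp-server path are assumptions, and the Match block goes beyond the thread to show how such accounts are commonly confined to SFTP.

```conf
# /etc/ssh/sshd_config (fragment)

# Shell-dependent form: sshd starts the external helper through the
# account's login shell, so an account whose shell is not a real shell
# (for example nologin) fails here.
# The path is an assumption; it varies by distribution.
#Subsystem sftp /usr/libexec/sftp-server

# In-process SFTP server: no login shell and no helper binary are run.
Subsystem sftp internal-sftp

# Hypothetical group "sftponly" holding the non-shell accounts.
# Whatever the client requests, only the in-process SFTP server runs,
# so the legacy scp protocol (which needs a shell) is not available.
Match Group sftponly
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t` before reloading sshd.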